Privacy Policy

Effective Date: March 8, 2026 | Last Updated: March 8, 2026

1. Introduction

Your privacy is important to us. This Privacy Policy explains how Heimat LLC, a Wyoming limited liability company doing business as RealBody.AI ("Company," "we," "us," or "our"), collects, uses, stores, shares, and protects your personal information when you visit our website at https://realbody.ai or use our LLC formation and business services platform (collectively, the "Platform").

We are committed to handling your personal information — especially sensitive data like your Social Security Number — with the highest standards of security and discretion. Please read this Policy carefully. By using our Platform, you agree to the practices described herein.

This Policy applies to all users of the RealBody.AI platform, including visitors, registered users, and paying customers. It does not apply to information collected by third parties who may link to or be accessible from our Platform.

Questions about this Policy? Contact us at support@realbody.ai.

2. Information We Collect

We collect the following categories of information:

2.1 Account Data

Name: Your legal full name, as you provide it during registration
Email address: Used for account access, notifications, and communications
Password: Stored as a cryptographic hash — we never store your password in plaintext
Account creation date and account settings

2.2 Identity Verification Data (KYC)

To comply with our obligation to verify the identity of customers forming legal entities, we require identity verification through our KYC partner, Persona. This process collects:

Government-issued photo ID (e.g., passport, driver's license) — front and back images
Selfie or liveness video for biometric comparison against the ID
Date of birth
Address

This data is collected and processed by Persona. Please review Persona's Privacy Policy at withpersona.com. See Section 6 regarding KYC data retention.

2.3 Social Security Number (SSN) / ITIN

If you are a U.S. person applying for an EIN through our platform, we collect your SSN or ITIN solely for the purpose of completing IRS Form SS-4. See Section 4 (SSN Handling) for complete details on how we protect this data.

2.4 LLC Formation Data

Desired LLC name and any alternatives
Business purpose / nature of business
Chosen AI entity name (if applicable to your service tier)
Member/manager information as required for your Articles of Organization
Registered agent selection and confirmation

2.5 Payment Data

Payments are processed by Stripe, Inc. We do not collect or store your credit card number, CVV, or full payment card details. We receive from Stripe only: the last four digits of your card, card brand, expiration date, billing address (for fraud prevention), and payment status/transaction IDs. Stripe's handling of your payment data is governed by Stripe's Privacy Policy.

2.6 Usage and Technical Data

IP address and approximate geographic location (country/city level)
Browser type and version
Operating system
Pages visited on our Platform, time spent, and navigation paths
Referring URLs
Session identifiers and authentication tokens
Error logs (excluding any sensitive data fields)

2.7 Communications Data

Support emails and tickets you send to us, including their content
Your responses to any surveys or feedback requests
Records of notifications we have sent you

2.8 Information We Do NOT Collect

We do not collect your SSN except as described in Sections 2.3 and 4
We do not collect cryptocurrency private keys (they are generated, displayed once, and deleted — see Section 2.9 below)
We do not access your business bank account transactions (managed directly by Unit.co / i3 Bank)

2.9 Wallet Data

When you use our wallet generation service, we generate an Ethereum-compatible wallet address and private key on your behalf. The private key is displayed to you once and immediately deleted from our systems. We retain only your public wallet address for reference in your account. We never have access to your funds or private key after generation.

3. How We Use Your Information

Purpose	Data Used	Legal Basis
LLC formation — filing Articles of Organization with Wyoming SOS	Name, address, formation data, account data	Contract performance; legal obligation
EIN application — completing and submitting IRS Form SS-4	SSN/ITIN, name, formation data	Explicit consent; contract performance
Identity verification (KYC)	Government ID, selfie, date of birth	Legal obligation; legitimate interests (fraud prevention)
Payment processing and billing	Payment data, account data	Contract performance
Account management and customer support	Account data, communications data	Contract performance; legitimate interests
D-U-N-S number registration	Formation data, name, address	Contract performance
Phone number provisioning	Name, address, account data	Contract performance
Platform security and fraud prevention	Usage data, IP address, account data	Legitimate interests
Legal compliance and regulatory obligations	All relevant data	Legal obligation
Service-related communications (account notifications, renewal reminders)	Email, account data	Contract performance; legitimate interests
Platform improvement and analytics (aggregated, non-identifiable)	Usage data	Legitimate interests

We do not use your personal information for behavioral advertising, profiling, or sale to third parties.

4. SSN Handling — Dedicated Security Section

This section describes in detail how we handle your Social Security Number (SSN) or Individual Taxpayer Identification Number (ITIN), which we treat as the most sensitive category of personal data on our platform.

4.1 Why We Collect It

The IRS requires that a Responsible Party's SSN or ITIN be listed on Form SS-4 to issue an EIN. We collect this information for one purpose only: to complete and submit IRS Form SS-4 on your behalf as your authorized Third Party Designee. There is no other use.

4.2 Transmission Security

Your SSN is transmitted from your browser to our servers exclusively over TLS 1.2 or higher (HTTPS) encrypted connections. It is never transmitted in plaintext. Our platform enforces HTTPS at all times and does not accept unencrypted connections.

4.3 Storage Security

Your SSN is stored in our database using AES-256-GCM encryption with a securely managed encryption key stored separately from the encrypted data. Your SSN is never stored in plaintext at any point — not in the database, not in application logs, not in error logs, not in backup files, and not in any monitoring or analytics system.

4.4 Access Controls

Access to the encryption key and the ability to decrypt SSN data is restricted to the automated systems that execute the Form SS-4 filing process. No human employee has routine access to SSN data in decrypted form. Any exceptional access would require elevated authorization and would be logged.

4.5 Use Limitation

Your SSN is used exclusively to populate the appropriate fields on IRS Form SS-4 and to submit that form to the IRS. It is not used for any other purpose, not cross-referenced with other data, and not included in any analytics or reporting.

4.6 Sharing

Your SSN is shared only with the IRS as part of Form SS-4. It is not shared with any other third party — not Stripe, not Persona, not Unit.co, not Telnyx, not D&B. We do not sell, rent, or trade your SSN under any circumstances.

4.7 Deletion

Upon confirmation that your EIN has been issued by the IRS, your SSN is permanently deleted from our systems within 24 hours. "Permanently deleted" means it is removed from the primary database, purged from any backup that was taken after EIN issuance, and confirmed deleted. After deletion, we retain only your EIN (which is not sensitive and is necessary for account records).

4.8 If EIN Application Fails

If an EIN application is rejected by the IRS or cannot be completed, we will retain your SSN only for as long as is necessary to resolve the issue (e.g., correct the application and resubmit) and will delete it within 24 hours of final resolution. We will notify you of the status and the expected deletion timeline.

5. Third-Party Service Providers

We work with the following third-party service providers who may process your data on our behalf:

Provider	Purpose	Data Shared	Privacy Policy
Persona	Identity verification (KYC)	Government ID images, selfie, date of birth, name, address	withpersona.com
Stripe, Inc.	Payment processing	Payment card data, billing address, transaction amounts	stripe.com/privacy
Unit.co / i3 Bank	Business banking services (U.S. customers only)	Name, address, formation data, as required for account opening	unit.co
Telnyx LLC	Business phone number provisioning	Name, business address, number request	telnyx.com
Dun & Bradstreet (D&B)	D-U-N-S Number registration	Business name, address, formation data, contact info	dnb.com
Resend	Transactional email delivery	Email address, email content	resend.com
Vercel / Hosting Provider	Platform hosting and content delivery	Usage data, IP addresses (passed through infrastructure)	vercel.com
Internal Revenue Service (IRS)	EIN application (Form SS-4)	SSN/ITIN, name, formation data	U.S. government agency — subject to federal privacy law
Wyoming Secretary of State	LLC formation filing	Formation data, name, registered agent info	State government — public record

All third-party providers are selected based on their ability to maintain appropriate security standards. We do not sell, rent, or trade your personal information with any party not listed above.

Note on public records: Information included in your Wyoming Articles of Organization (LLC name, registered agent, principal office address) becomes part of the public record maintained by the Wyoming Secretary of State. This is a legal requirement of LLC formation, not a choice made by RealBody.AI.

6. KYC Data Retention

Identity verification data (government ID images, selfie/liveness data, and associated verification results) collected through Persona is subject to Persona's own data retention policies, which are designed to comply with applicable anti-money laundering (AML) and Know Your Customer (KYC) regulatory requirements.

These regulations typically require retention of identity verification records for a period of five (5) years or longer from the date of verification, depending on the applicable jurisdiction and regulation. Persona retains this data on our behalf in accordance with their legal obligations and their privacy policy.

You may request information about Persona's retention practices by contacting support@realbody.ai, and we will facilitate your inquiry with Persona. Please note that we may not be able to fulfill deletion requests for KYC data where retention is required by law.

7. Data Retention

Data Category	Retention Period	Reason
Account data (name, email, account history)	Duration of account + 7 years after closure	Legal and tax record-keeping obligations
SSN / ITIN	Deleted within 24 hours of EIN confirmation (or resolution of failed application)	Minimization — no longer needed after EIN issuance
Identity verification (KYC)	Per Persona's retention policy (typically 5+ years)	AML/KYC regulatory requirements
LLC formation documents	Duration of account + 7 years	Legal and tax record-keeping obligations
Payment records and invoices	7 years	Tax record-keeping; legal compliance
Payment card data	Per Stripe's policy (we retain only last 4 digits, expiry, token)	Stripe manages full card data; we retain only what is necessary for billing management
Support communications	3 years from last interaction	Customer service continuity; dispute resolution
Usage and technical data (logs)	90 days	Security monitoring; debugging
Crypto wallet public address	Duration of account	Account reference — private key is deleted immediately after display

When data is deleted, we take steps to ensure it is removed from active databases, backup systems (within normal backup cycle), and any derived datasets.

8. Data Security

We implement industry-standard and, where appropriate, above-standard security measures to protect your personal information:

Encryption at rest: Sensitive data (including SSN/ITIN) is encrypted using AES-256-GCM. Account passwords are hashed using a strong one-way cryptographic hash function with appropriate salting.
Encryption in transit: All communications between your browser and our servers are encrypted using TLS 1.2 or higher. We enforce HTTPS-only access and use HSTS (HTTP Strict Transport Security).
Access controls: Access to personal data is restricted to personnel and automated systems with a legitimate need. Administrative access requires multi-factor authentication. Access to SSN data is further restricted to automated systems only.
Infrastructure security: Our platform is hosted on enterprise-grade infrastructure with network-level security controls, regular vulnerability scanning, and security patching protocols.
Incident response: We maintain an incident response plan. In the event of a data breach that affects your personal information, we will notify you and relevant authorities as required by applicable law (including within 72 hours under GDPR where applicable).
Vendor security: We require our third-party service providers to maintain security practices consistent with industry standards and applicable legal requirements.

No security system is impenetrable. While we take extensive measures to protect your data, we cannot guarantee absolute security. In the event of a breach, we will notify affected users promptly and take all reasonable steps to mitigate harm.

9. Your Rights — California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

9.1 Right to Know

You have the right to request that we disclose: the categories and specific pieces of personal information we have collected about you; the categories of sources from which we collected it; the business or commercial purposes for collecting it; and the categories of third parties with whom we have shared it.

9.2 Right to Delete

You have the right to request that we delete personal information we have collected from you, subject to certain exceptions (e.g., data we are legally required to retain).

9.3 Right to Correct

You have the right to request correction of inaccurate personal information we maintain about you.

9.4 Right to Opt-Out of Sale or Sharing

We do not sell, rent, or share your personal information for cross-context behavioral advertising. There is nothing to opt out of. We do not have a "Do Not Sell" process because we do not sell data.

9.5 Right to Limit Use of Sensitive Personal Information

Sensitive personal information (such as your SSN) is used only to provide the specific service for which it was collected (EIN filing). We do not use it for any other purpose.

9.6 Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. We will not deny you services, charge different prices, or provide a different quality of service because you exercised your privacy rights.

9.7 How to Exercise Your Rights

To exercise any of the above rights, contact us at:

Email: support@realbody.ai — include "CCPA Privacy Request" in the subject line
We will respond to verifiable requests within 45 days (extendable by an additional 45 days with notice)
We may need to verify your identity before processing your request
You may designate an authorized agent to submit requests on your behalf; agents must provide written authorization

10. Your Rights — EU / International Users (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with comprehensive data protection laws, you have the following rights under the General Data Protection Regulation (GDPR) or equivalent applicable law:

Right of Access: The right to obtain a copy of the personal data we hold about you
Right to Rectification: The right to have inaccurate personal data corrected
Right to Erasure ("Right to be Forgotten"): The right to request deletion of your personal data, subject to legal retention obligations
Right to Data Portability: The right to receive your personal data in a structured, commonly used, machine-readable format
Right to Object: The right to object to processing based on legitimate interests
Right to Restrict Processing: The right to request that we limit the processing of your personal data in certain circumstances
Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal

10.1 International Data Transfers

RealBody.AI is operated from the United States. If you are located outside the United States, your personal data will be transferred to and processed in the United States. These transfers are conducted under appropriate safeguards, including Standard Contractual Clauses (SCCs) as approved by the European Commission, to ensure your data receives a level of protection consistent with GDPR requirements.

10.2 Lawful Basis for Processing

We process personal data under the following lawful bases: (a) contract performance — to provide services you have requested; (b) legal obligation — to comply with applicable laws; (c) legitimate interests — for fraud prevention, platform security, and service improvement; and (d) consent — for SSN collection and where otherwise required.

10.3 Exercising Your Rights

To exercise your GDPR rights, email support@realbody.ai with "GDPR Data Request" in the subject line. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

11. Cookies and Local Storage

We use minimal tracking technologies on the RealBody.AI platform:

11.1 Cookies We Use

Session authentication cookie: A secure, HTTP-only, same-site cookie used to maintain your login session. This cookie is essential for the platform to function and is deleted when you log out or your session expires. It contains only a session token — no personal data.
CSRF protection cookie: Used to prevent cross-site request forgery attacks. Essential for security.

11.2 Local Storage

Theme preference: If you set a display preference (e.g., light or dark mode), this preference is stored in your browser's localStorage. This is purely functional and contains no personal data.

11.3 What We Do NOT Use

No third-party advertising or tracking cookies
No cross-site tracking or behavioral profiling
No analytics cookies that identify you individually (we may use aggregated, non-identifiable analytics)
No persistent tracking pixels

Because we use only essential cookies and functional local storage, we do not display a cookie consent banner. If this changes in the future, we will update this Policy and seek appropriate consents.

12. Children's Privacy

The RealBody.AI platform is intended solely for use by individuals who are at least 18 years of age and have the legal capacity to form a limited liability company. We do not knowingly collect personal information from anyone under 18 years of age.

If we discover that we have inadvertently collected personal information from a minor, we will delete that information promptly. If you believe we have collected information from a minor, please contact us immediately at support@realbody.ai.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. When we make material changes, we will:

Post the updated Policy on this page with a new "Last Updated" date
Send you an email notification at least 30 days before the changes take effect

For non-material changes (e.g., clarifications, formatting, or changes that do not affect how we use your data), we may update this page without prior notice.

Your continued use of the Platform after the effective date of the updated Policy constitutes your acceptance of the changes. If you disagree with any changes, you may cancel your account and request deletion of your data.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Heimat LLC d/b/a RealBody.AI
Privacy Inquiries
30 N Gould St Ste R
Sheridan, WY 82801
support@realbody.ai

For CCPA requests, include "CCPA Privacy Request" in the subject line.
For GDPR requests, include "GDPR Data Request" in the subject line.
For all other privacy inquiries, include "Privacy Inquiry" in the subject line.

We aim to respond to all privacy-related inquiries within 10 business days for general inquiries and within the legally required timeframes for formal rights requests.